Privacy policy
This privacy policy informs you of the type, extent and purpose of the processing of personal data (hereinafter “data”) within our online offer and the websites, function and contents connected with it, as well as external online presences including our media profile (hereinafter “online offer). Regarding the terminology used, such as “processing” or “data controller”, we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Data controller
Filmtimer GmbH (hereinafter "Ft")
Düsterntwiete 55
22549 Hamburg
Email address: info@filmtimer.com
Managing director / owner: Benjamin Schubert
Imprint
Types of processed data:
- Basic data (e.g.names, addresses).
- Contact data (e.g. email, telephone numbers).
- Content data (e.g. text entries, photographs, videos).
- Usage data (e.g. visited web sites, contents of interest, access times).
- Meta-/communication data (e.g.., device information, IP addresses).
Categories of data subjects:
Visitors and users of the online offer (data subjects are hereinafter summarised as “users”)
Purpose of processing
- Provision of the online offer, its functions and contents.
- Replying to contact requests and communication with users.
- Security measures
- Reach assessment/marketing
Terminology:
”Personal data” are all data that refer to identified or identifiable natural persons (hereinafter “data subject”); a natural person that can be directly or indirectly identified by means of assignation to an identifier such as a name, an identification number, location data, to an online identification (e.g. cookie), or to one or several particulars that are expressions of the physiological, genetic, psychological, economic, cultural or social identity of this natural person.
“Processing” means any operation, or series of operations, that is carried out with or without the help of automated procedures in connection with person-specific data. The term is comprehensive and includes virtually any handling of data.
“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
Any natural or legal person, authority, establishment or other institution that can, alone or in conjunction with others, decide upon the purposes and means of processing of person-specific data is referred to “data controller”.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller;
Relevant legal bases
Pursuant to Art. 13 GDPR, we hereby notify you of the legal bases of our data processing operations. Insofar as the legal basis is not identified in the privacy policy, the following applies: The legal basis for obtaining consent is laid down in Art. 6 para. 1 lit. a) and Art. 7 GDPR; the legal basis for processing data in order to perform our services, to implement the measures provided for in the contract and to respond to queries is laid down in Art. 6 para. 1 lit. b) GDPR; the legal basis for processing data in order to fulfil our legal obligations is laid down in Art. 6 para. 1 lit. c) GDPR and the legal basis for processing data in order to safeguard our legitimate interests is laid down in Art. 6 para. 1 lit. f) GDPR. Art. 6 para. 1 lit. d) GDPR serves as the legal basis should the vital interests of a data subject or another natural person require that personal data should be processed.
Security measures:
Pursuant to Art. 32 GDPR and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as their access, input, disclosure, availability and separation. In addition, we have established procedures that ensure the enjoyment of data subject rights, data erasure, and reaction to data vulnerability. Furthermore, we take into account the protection of personal data in the development and/or selection of hardware, software and procedures, pursuant to the principle of data protection through technology design and privacy-friendly default settings (Art. 25 GDPR).
Collaboration with contract processors and third parties:
If we reveal data to other persons or companies (contract processors or third parties) in the course of processing, transmit, or otherwise grant them access to this data, this only occurs on the basis of legal permission (e.g. if transmission of data to third parties such as payment service providers is required for contract performance according to Art. 6 para. 1 lit. b) GDPR, you have given your consent, a legal obligation provides for it, or on the basis of our legitimate interests (e.g. when deploying agents, web hosts, etc.).
If we instruct third parties to process data on the basis of a so-called “order data processing agreement”, this happens on the basis of Art. 28 GDPR.
Transfer of data to third countries:
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA), or if we use third-party services, or disclose or transfer data to third parties, this only occurs if we are required to do so in order to fulfil (pre)contractual obligations, on the basis of your consent, on the basis of a statutory requirement or on the basis of our legitimate interests. Subject to legal or contractual concessions, we only process data or allow data to be processed in a third country under the specific conditions outlined in Art. 44 ff. GDPR. This means that data is processed on the basis of special guarantees, for example the data protection level must be determined in accordance with the levels officially recognised by the EU (e.g. in accordance with the Privacy Shield Frameworks stipulated in the USA), or must comply with officially recognised contractual obligations (standard contractual clauses).
Rights of data subjects:
You are entitled to request confirmation whether the relevant data are processed, as well as information about this data, and other information and copies of the data pursuant to Art. 15 GDPR.
Pursuant to Art. 16 GDPR, you are entitled to request the completion or correction of data concerning your person.
Pursuant to Art. 17 GDPR, you are entitled to demand the immediate erasure of relevant data, or, alternatively, pursuant to Art. 18 GDPR, to request a limitation of data processing.
Pursuant to Art. 20 GDPR, you are entitled to request data relating to your person that you have provided to us and to request transfer thereof to other responsible persons.
Pursuant to Art. 77 GDPR, you are furthermore entitled lo lodge an appeal with the relevant supervisory authorities.
Right of cancellation:
Pursuant to Art. 7 para. 3 GDPR, you are entitled to revoke given consent for the future.
Right to object:
Pursuant to Art. 21 GDPR, you can at any time object to future processing of your personal data. Users can specifically object to having their data processed for the purposes of direct marketing.
Cookies and right to object in case of direct marketing:
Small files that are saved on users’ computers are known as “cookies”. Various data can be saved within cookies. A cookie primarily serves the purpose of saving data concerning the user (or the computer on which the cookie is saved) during and possibly after his visit to the online offering. Cookies that are deleted after a user leaves an online offering and shuts his browser are known as temporary cookies, “session cookies” or “transient cookies”. Such a cookie may contain data such as the content of a shopping cart in an online shop, or a log-in status. Cookies that remain saved after shutting the browser are known as “permanent” or “persistent” cookies. Particulars such as the log-in status can thus be saved when users revisit them after several days. User interests that are used for reach assessment or marketing purposes can equally be saved in such a cookie. “Third-party cookies” are cookies that are offered by provider other than the data controller who operates the online offer (the data controller’s own cookies are known as “first-party cookies”)
We can use temporary and permanent cookies un inform thereof within the framework of our privacy policy.
If users do not wish for cookies to be saved on their computers, we ask them to activate the appropriate option in their browser’s system preferences. You can delete stored cookies using your browser’s system preferences at any time. The exclusion of cookies can lead to function limitations in this online offering.
A general objection against the use of online marketing related cookies can be lodged for a multitude of services, especially in case of tracking, via the US site http://www.aboutads.info/choices/or the EU site http://www.youronlinechoices.com/.
Erasure of data:
According to the stipulations of Art. 17 and 18 GDPR, data processed by us is erased or restricted in its processing. Unless expressly stated otherwise in this privacy policy, data we save is erased as soon as they are no longer required for their intended purpose and no legal retention obligations are in the way of their erasure. If the data cannot be erased, because it is required for statutory and other legally permissible purposes, their processing is restricted. This means the data shall be blocked and not processed for other purposes. This applies for example to data required to be retained for purposes relating to commercial or fiscal law.
According to legal requirements in Germany, the retention period is 10 years pursuant to Art. 147 para. 1 of the German Fiscal Code (Abgabeordnung, AO), and Art. 257 para. 1 nos. 1 and 4, para. 4 of the German Commercial Code (Handelsgesetzbuch, HGB) (trading books, inventories, opening balances, annual accounts, commercial letters, accounting records, etc.), as well as 6 years pursuant to Art. 257 para. 1 nos. 2 and 3, para. 4 of the German Commercial Code (business letters).
According to legal requirements in Austria the retention period is 7 years pursuant to § 132 para. 1 of the Austrian Fiscal Code (Bundesabgabeordnung, BAO) (accounting documents, receipts/invoices, accounts, records, business papers, statement of income and expenses, etc.), 22 years in connection with real estate, and 10 years in the case of documents relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-EU companies in EU Member States for which the Mini-One-Stop-Shop (MOSS) is used.
Business-related processing:
In addition, we process
- Contract data (e.g. subject matter of the contract, duration, customer category).
- Payment data (e.g. bank details, payment history)
from our customers, interested parties and business partners, for the purpose of contract performance, services and customer care, marketing, advertising and market research,
Hosting:
Hosting services used by us serve the provision of the following services: Infrastructure and platform services, computing capacity, data storage, databank services, security services, as well as technical maintenance that we deploy for the operation of this online offering.
In doing so, we, or our hosting service provider, process basic data, contact data, content data, contract data, usage data, meta data and communication data of customers, interested parties and visitors to this online offering. The legal basis for this is our legitimate interest in the efficient and secure provision of this online offering pursuant to Art. 6 para. 1 lit. f) GDPR in conjunction with Art. 28 GDPR (conclusion of order data processing agreement).
Collection of log-in data and log files:
On the basis of Art. 6 para. 1 lit. f) GDPR, we, or our hosting service provider, collect data regarding every access to the server that contains this service (so-called server log files). Access data include the name of the website visited, the file accessed, the date and time of the visit, the volume of data transferred, notification of a successful visit, the browser type and version, the user’s operating system, the referring URL (previously visited site), the IP address and the querying provider.
For security reasons (e.g. for the investigation of improper or fraudulent use), log file information is stored for a duration of no more than 7 days, then deleted. Data which must be stored for purposes of documentation is excluded from deletion until the event in question is fully clarified.
External payment service providers:
We use external payment service providers through whose platforms we and our users can complete payment transactions. These are direct debit via Paymill (https://www.paymill.com/de/datenschutz), Visa (https://www.visa.de/datenschutz), Mastercard (https://www.mastercard.de/de-de/datenschutz.html).
As part of the fulfilment of contracts, we employ payment service providers on the basis of Art. 6 para. 1 lit. b) GDPR. Incidentally, we use external payment service providers on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. b) GDPR in order to offer our users effective and secure payment options.
Among the data processed by the payment service providers are inventory data such as name and address, bank details such as bank account numbers or credit card numbers, passwords, TANs and checksums, as well as contract, summary and recipient-related information. This information is required to complete the transactions. However, the data entered will be processed and stored exclusively by the payment service providers. That is, we do not receive any account or credit card related information, but only information with confirmation or negative confirmation of payment. The data may be transmitted by the payment service providers to credit reporting agencies. The aim of this transmission is the completion of identity and/or credit checks. For this purpose, we refer you to the privacy policy and terms and conditions of the payment service providers.
For payment transactions, the privacy policies and terms and conditions of the respective payment providers shall be valid, which can be consulted within the respective websites or transaction applications. We also refer you to these for further information and assertion of your rights of revocation, information and other rights of data subjects.
Administration, financial accounting, office organisation, contact administration:
We process data within the framework of administrative tasks, and organisation of our operations, financial accounting and compliance with statutory requirements, such as archiving. In so doing, we process the same data as in the course of provision of our contractual services. The basis for processing are Art. 6 para. 1 lit. c) GDPR, Art. 6 para. 1 lit. f) GDPR. Customers, interested parties, business partners and site visitors are affected by processing. The purpose of, and our interest in processing is in the administration, financial accounting, office organisation and archiving of data, thus tasks that serve the maintenance of our business activities, performance of our functions and performance of our services. Deletion of data with a view to contractual services and contractual communication correspond to the statements made in these contractual activities.
We thereby disclose or transfer data to fiscal authorities, consultants, such as tax advisors or auditors, as well as fees offices and payment service providers.
Furthermore, on the basis of our business interests, we store information regarding suppliers, organisers and other business partners, e.g. for later contact. Such predominantly company-related data is usually stored permanently.
Registration function:
Users can create a user account. As part of the registration process, the required mandatory information is communicated to users and processed for purposes of providing the user account. The legal basis for this is Art. 6 para. 1 lit. b) GDPR. The processed data include in particular the log-in information (name, password and an email address). The data entered as part of registration will only be used for the purposes of facilitating use of the user account and its purpose.
Users may be informed by email about information relevant to their user account, such as technical changes. If users have terminated their user account, their data will be erased with respect to the user account, subject to a statutory retention requirement. It is the responsibility of the users to secure their data upon termination before the end of the contract. We are entitled to irretrievably erase all user data stored during the term of the contract.
As part of the use of our registration and subscription functions as well as the use of the user account, the IP address and the time of the respective user action will be stored. The legal basis for this storage is our legitimate interests, as well as the protection of the user against misuse and other unauthorised use. These data are not transferred to third parties, unless it is necessary for the prosecution of our claims or there is a legal obligation pursuant to Art. 6 para. 1 lit. c) GDPR. IP addresses will be anonymised or erased after 7 days at the latest.
Contact:
When contact is made with us (e.g. via contact form, email, telephone or social media), user data is processed for the processing and implementation of the enquiry pursuant to Art. 6 para. 1 lit. b) GDPR. User information can be stored in a customer relationship management system (“CRM system”) or similar enquiry organisation.
We delete the information once it is no longer required. We review necessity every two years; in addition, legal archiving obligations apply.
Newsletter:
The following information is intended to provide information on the content of our newsletter, the registration process, the distribution process, the statistical evaluation process and your right to object. When you subscribe to our newsletter, you acknowledge that you have agreed to receive the newsletter and that you agree with the processes that have been described.
Content of the newsletter: We send the newsletter, emails and other electronic messages with advertising information (hereinafter referred to as ‘newsletter’) only with the recipient’s consent or if we have been granted legal permission to do so. The content which is precisely defined within the registration process applies when obtaining the user’s consent. Our newsletter also contains information about our services and our company.
Double opt-in and data logging: A double opt-in process is used when users register to receive our newsletter. This means that you will receive an email after registering which asks you to confirm your registration. This confirmation is necessary so that it is not possible for people to log in with external email addresses. New registrations to the newsletter are logged in order to verify that the registration process complies with the legal requirements. This involves storing the IP address and time that the new user registers and confirms the registration. Changes to any of your data that is stored by the email marketing service are also logged.
Registration details: You only need to provide your email address when you register to receive the newsletter. Optionally, we ask you to provide a name for the purposes of addressing the newsletter to you personally.
The dispatch of the newsletter and the related tracking is based on the consent of the recipient pursuant to Art. 6 para. 1 lit. a) and Art. 7 GDPR in conjunction with Art. 7 para. 2 no. 3 of the German Unfair Competition Act (Gesetz gegen unlauteren Wettbewerb, UWG), and on the basis of statutory permission pursuant to Art. 7 para. 3 UWG.
The logging of the registration process is based on our legitimate interests pursuant to Art. 6 para. 1 lit. f) GDPR. Our prime goal is to deploy a user-friendly and secure newsletter system that both serves our commercial interests and meets our users’ expectations, and furthermore enables us to prove consent.
Cancelation/revocation - You can cancel your subscription to our newsletter i.e. revoke your consent, at any time. You will find an unsubscribe link at the end of each newsletter. We may save the submitted email addresses for up to three years based on our legitimate interests before we delete them in order to prove prior consent. The processing of this data is limited to the purpose of the potential defence against claims. You may make an individual cancellation request at any time, provided that you simultaneously confirm your prior consent.
Newsletter tracking:
The newsletters contain what is known as a web beacon, which is a pixel-sized file called up by our server, or the by server of the email marketing provider insofar as we employ such a service, when the newsletter is opened. Technical information such as information on your browser, your operating system and IP address are collected at the time the file is called up.
This information is used to facilitate technical improvements in our services by means of gathering technical data, information on target groups and their reading behaviour by analysing access times and the locations from which readers call up the files (determined by means of IP addresses). Further statistical analysis includes determining whether the newsletter has been opened, when it was opened and which links have been clicked. information can be matched to individual newsletter recipients due to technical reasons. However, neither we nor the email marketing service, insofar as we employ such a service, intends to monitor individual users. The main purpose of this analysis is to identify the reading habits of our users and to tailor our content to their requirements or to publish content that matches the interests of our readers.
Google Analytics:
On the basis of our legitimate interests (i.e. interest in analysis, optimisation and efficient operation of our online offering), we use Google Analytics, a web analytics service by Google LLC (“Google”) pursuant to Art. 6 para. 1 lit. f) GDPR. Google uses cookies. The information about the user’s use of this website gathered by the cookie is, as a rule, transmitted to a Google server in the USA and stored there.
On our behalf, Google will use this information to evaluate use of our online offering by users, to collate reports on activities within this online offering and to provide us with further services related to the use of this online offering and internet use. Pseudonymous user profiles of users can thereby be generated from processed data.
We only use Google Analytics with activated IP anonymisation. This means that your IP address will be abbreviated by Google within the member states of the European Union or in other countries that have signed the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and abbreviated there.
The IP address transmitted by your browser will not be merged with any other Google data. Users can prevent the storage of cookies by changing the settings in their browser software accordingly. You can also prevent the collection of data about your visit by setting an opt-out cookie. If you wish to prevent the collection of any of your data when visiting this website in future, please click on this link.
The personal data of users will be erased or anonymised after 14 months.
Online presence in social media:
We maintain an online presence within social media and platforms, in order to be able to communicate with customers, interested parties and users that are active there, and to inform them of our services. When accessing the respective networks and platforms, the terms of use and data processing regulations of the respective provider apply.
Unless otherwise specified in our privacy policy, we process the data of users if they communicate with us within the social networks and platforms, e.g. create contributions on our online presence, or send us messages.
Inclusion of services and content from third parties:
On the basis of our legitimate interests (i.e. interest in analysis, optimisation and efficient operation of our online offering in terms of Art. 6 para. 1 lit. f) GDPR), we use third -party content or service offerings in order to include their contents and services, such as videos or fonts (hereinafter “contents”).
This always takes for granted that third-party providers of such content detect users’ IP address, because they cannot send contents to their browser without the IP address. This means the IP address is needed to display the content in question. We make every attempt to use only the type of content where the supplier only uses the IP address to deliver the content. Third-party providers can furthermore use so-called pixel tags (invisible graphics, also known as “web beacons” for statistical or marketing purposes. Through these “pixel tags”, information such as visitor traffic on the pages of this website can be processed. Pseudonymous information can furthermore be stored in cookies on the users’ device and may contain technical information on the browser and operating system, referring websites, visiting time, as well as additional information regarding the use of our online offering, and merged with such information form other sources.
Vimeo:
We may embed videos from the “Vimeo” platform, provided by Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA. Privacy policy: https://vimeo.com/privacy. Please note that Vimeo may use Google Analytics. We hereby refer you to Google’s privacy policy (https://www.google.com/policies/privacy), as well as opt-out options for Google-Analytics (http://tools.google.com/dlpage/gaoptout?hl=de) and Google’s data usage settings for marketing purposes (https://adssettings.google.com/).
YouTube:
We embed videos from the “YouTube” platform, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
Google Fonts:
We embed fonts (“Google Fonts”), provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
Google Maps:
We embed maps from the service “Google Maps”, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may include, in particular, users' IP addresses and location data, which, however, are not collected without their consent (usually as part of the settings of their mobile devices). These data may be processed in the USA. Privacy policy: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
Compiled using Datenschutz-Generator.de by RA Dr. Thomas Schwenke
